gitnexus-cli

Fail

Audited by Snyk on Mar 1, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt includes explicit insecure patterns (a --api-key CLI flag and guidance to set OPENAI_API_KEY or save keys to ~/.gitnexus/config.json) that encourage or permit the agent to embed secret values verbatim in commands or output, creating a high exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill's MCP server is started with "npx gitnexus@latest mcp", which fetches and executes a remote npm package (gitnexus@latest) at runtime, allowing that externally fetched code to run and potentially control agent behavior.

Audit Metadata

Risk Level: HIGH
Analyzed: Mar 1, 2026, 01:57 AM